Memory security is not a new concept, but the surge in remote work and connectivity during the COVID-19 pandemic has made protecting information both more important and more difficult, especially for emerging use cases such as data sharing across communications infrastructure, including 5G. At the same time, security features add complexity to memory design.

Even before the rapid growth of markets such as edge computing, the Internet of Things (IoT), and connected vehicles, security features in memory were gradually increasing. Electrically erasable programmable read-only memory (EEPROM) is a favorite of credit cards, SIM cards, and keyless entry systems; the "S" in SD cards stands for "Secure" (Secure Digital); and flash-based solid-state drives (SSDs) have had encryption features built in for years.

Security is firmly embedded in memory and connected devices distributed throughout computing systems and network environments, but memory-based security still has to account for human error: security teams still deal with the consequences of a user opening a virus disguised as an attachment or a router being misconfigured. Likewise, secure memory cannot fully do its job unless it is properly configured and coordinated with the rest of the system, including software. You could say that two kinds of "SOC" are converging: the security operations center and the system on chip.

Companies such as Rambus offer products designed to protect every link in response to the increased bandwidth requirements of cloud and edge computing server interconnects. Infineon is also expanding its Cypress Semper NOR flash memory to address a problem every connected system will eventually face: attackers attempting to tamper with the contents of flash components.
Tampering could affect any number of computing platforms, including self-driving vehicles, which are essentially servers on four wheels, as well as industrial, medical, and IoT applications enhanced by 5G connectivity. Security not only needs to be integrated but also managed throughout the lifecycle of these devices, some of which may remain in service for up to a decade with their embedded memory. Applications with high memory content are the most attractive targets.

Market analyst Thomas Coughlin said that encryption key management remains the key to ensuring system security. With the proliferation of non-volatile memory, it is increasingly important to build security into embedded systems, because data persists even when the device is powered off. Coughlin pointed out that adding security features is not the hard part, since data on SSDs, for example, can be encrypted; "The question is whether users can easily use these features, because the weakest link is usually people." Smartphones are becoming identity authentication proxies as biometrics replace traditional passwords, but this scenario opens the possibility of unencrypted data being accidentally exposed. Coughlin noted that the risk lies in implementation flaws or complexity: "Making security simple is the key, which is more important than encrypting data and putting it in hardware."

Scott Phillips, vice president of marketing at Virtium, a supplier of SSDs and memory, said that encrypting SSDs alone goes only so far and that a multi-layered, managed approach is required. He pointed out that specifications such as the Trusted Computing Group's Opal specification provide BIOS-level pre-boot authentication, configuration, and centralized management, all critical functions in keeping attackers out; "But even companies of considerable size cannot achieve comprehensive and complete security."
As 5G accelerates, efforts are under way to protect data paths within and between data centers; however, challenges remain in fully realizing the benefits of hardware security.
The need for integration

In the industrial market, consolidation requires combining different systems; at the same time, hyperscale data center operators such as AWS and Microsoft Azure are actively promoting data security. However, Phillips pointed out that these defenses still have to be carried through to the end user. Despite the growing number of standards and requirements, interoperability between security solutions is still an issue, and suppliers are still trying to position their products and services as market leaders. "Hackers are always one step ahead," Phillips added. "They know where all those little holes are, and that's what they're looking for; it really takes a centralized, super-attentive IT person or department to go through and close those holes."
The idea of embedding security into memory devices rather than bolting it on differs from software-only approaches. The basic concept of "DevSecOps" (EETT editor's note: a combination of Development, Security and Operations) is to make security and privacy protection an integral part of the application development process. An emerging framework called "confidential computing" aims to protect data in use by isolating computation in a hardware-based trusted execution environment (TEE). While it is being processed, the data stays encrypted in memory and anywhere else outside the CPU package; it is decrypted only inside the processor. Intel's SGX provides such a trusted execution environment: a protected region of main memory in which loaded code and data are protected for both confidentiality and integrity.

Software and hardware companies are promoting confidential computing, including Google, which recently announced support for container workloads, and Intel, which provides a TEE for cloud service providers such as Microsoft Azure through Intel Software Guard Extensions. Confidential computing requires shared security responsibility, but Simon Johnson, senior principal engineer in Intel Product Assurance and Security Architecture, believes that humans remain the weakest link. Johnson said Intel supports developers in protecting data during the execution of program code, and that the confidential computing movement stems from enterprises' need to protect data from various sources, including sensitive health care information, financial records and intellectual property (IP). He pointed out that the platform provider should not be able to see the data: "You want to keep as many people away from your personal information as possible."

Intel SGX includes hardware-based memory encryption that isolates application-specific code and data in memory, allowing user-level program code to run in a dedicated "enclave" separate from code executing at higher privilege levels, including the operating system and hypervisor.
This gives finer-grained control and protects against physical attacks on DRAM such as cold-boot attacks. The framework is also designed to protect against software attacks, even when the operating system, drivers, BIOS, or hypervisor are compromised. Confidential computing can support workloads such as analysis of large data sets that do not belong to the user, and it allows encryption keys to be used closer to the workload to reduce latency. "Right now we really only have software that provides protection, and we lack hardware protection solutions in those types of environments," Johnson said, noting that confidential computing can protect the processing of data or program code through the hardware and software ecosystem promoted by the Confidential Computing Consortium.

Virtium's Phillips noted that ease of use has always been key to improving security, so having "trigger-ready" memory encryption is a goal: "The full security will come from all the add-ons on top of it," he said, noting that the idea is not just to encrypt the memory but to ensure complete data isolation so that the environment is secure. "Confidential computing is not just about encrypting the memory." It is also about accommodating a heterogeneous, integrated world: "When data is in use, you have to provide an access control layer and be able to prove that you are using the software, the data is in a certain area; all of this is built in a ladder-like manner," he said.
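The "prove that you are using the software" step Phillips describes is remote attestation: before a relying party hands a data key to a workload, it checks a hardware-signed report of what code the TEE is actually running. The following is an added, stand-alone model of that exchange, written for this page; it is not Intel SGX code or anything from the Confidential Computing Consortium. The platform attestation key is a constructed HMAC secret standing in for the signing key real hardware keeps inaccessible to the OS and hypervisor, the workload is a constructed byte string, and the function and class names are hypothetical.

```python
"""Model of attestation-gated key release (added example, not SGX code).

Flow: verifier issues a nonce -> platform produces a report binding the
code measurement to that nonce -> verifier checks authenticity, freshness
and an allow-list of measurements -> releases the data key or refuses.
"""
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the per-platform attestation key. In real hardware
# this key never leaves the silicon, so host software cannot forge reports.
_PLATFORM_ATTESTATION_KEY = b"constructed-platform-key-not-real-hardware"

# Constructed workload bytes; a real TEE measures the loaded code and data pages.
TRUSTED_WORKLOAD = b"def process(records): return aggregate(records)\n"


def measure(code):
    """Measurement of the code to be loaded (the role MRENCLAVE plays in SGX)."""
    return hashlib.sha256(code).hexdigest()


def _report_tag(signing_key, measurement, nonce):
    """Authenticate (measurement, nonce) with the platform key."""
    msg = measurement.encode() + b"|" + nonce
    return hmac.new(signing_key, msg, hashlib.sha256).hexdigest()


def enclave_quote(code, nonce, signing_key=_PLATFORM_ATTESTATION_KEY):
    """Platform side: report binding the measurement to the verifier's nonce.
    signing_key is a parameter only so the demo can model a forger without
    the real key; hardware would never let software choose it."""
    mrenclave = measure(code)
    return {"measurement": mrenclave, "nonce": nonce,
            "tag": _report_tag(signing_key, mrenclave, nonce)}


class KeyBroker:
    """Relying party: holds the data key and an allow-list of measurements, and
    releases the key only to a fresh, authentic report with an expected measurement."""

    def __init__(self, data_key, allowed_measurements):
        self._data_key = data_key
        self._allowed = set(allowed_measurements)
        self._outstanding = set()  # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def release_key(self, quote):
        nonce = quote["nonce"]
        if nonce not in self._outstanding:
            return None, "stale or replayed nonce"
        self._outstanding.discard(nonce)  # one-shot: a report cannot be replayed
        expected = _report_tag(_PLATFORM_ATTESTATION_KEY, quote["measurement"], nonce)
        if not hmac.compare_digest(expected, quote["tag"]):
            return None, "report not signed by platform key"
        if quote["measurement"] not in self._allowed:
            return None, "measurement not on allow-list"
        return self._data_key, "ok"


def run_attestation(workload, broker, signing_key=_PLATFORM_ATTESTATION_KEY):
    """Full exchange: challenge -> quote -> verify -> (key or None, reason)."""
    nonce = broker.challenge()
    return broker.release_key(enclave_quote(workload, nonce, signing_key))


def demo():
    """Run the honest case and three failure modes; return (refused?, reason)."""
    data_key = os.urandom(32)
    broker = KeyBroker(data_key, {measure(TRUSTED_WORKLOAD)})
    results = {}

    key, reason = run_attestation(TRUSTED_WORKLOAD, broker)
    results["trusted"] = (key == data_key, reason)

    # Host software that modifies the workload changes its measurement.
    tampered = TRUSTED_WORKLOAD + b"exfiltrate(records)\n"
    key, reason = run_attestation(tampered, broker)
    results["tampered"] = (key is None, reason)

    # A forger claims the trusted measurement but lacks the platform key.
    key, reason = run_attestation(TRUSTED_WORKLOAD, broker, signing_key=b"attacker-key")
    results["forged"] = (key is None, reason)

    # Replaying a report whose nonce the broker never issued (or already used).
    key, reason = broker.release_key(enclave_quote(TRUSTED_WORKLOAD, b"\x00" * 16))
    results["replayed"] = (key is None, reason)
    return results


if __name__ == "__main__":
    for name, (outcome, why) in demo().items():
        print(f"{name:9s} {'pass' if outcome else 'FAIL'}: {why}")
```

The three refusals are the point of the design: a compromised OS or hypervisor can alter what runs, but it cannot make the altered code measure the same, cannot sign a report without the platform key, and cannot reuse an old report because each nonce is consumed once. The data key therefore only ever reaches the code the verifier approved, which is what lets keys live "closer to the workload" without trusting the host that runs it.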